
Friday, 1 April 2022

How End-to-End Encryption Works in Video and Text Messaging Apps

This article focuses on end-to-end encryption (E2EE), one of the possible ways to secure data transmission. We'll look at the basic principles behind it and review the apps that offer end-to-end encryption functionality.

When it comes to data safety on the Internet, an average user may think that matters such as end-to-end encryption do not concern him. Indeed, when chatting with friends and relatives with no personal data involved, you can rely on luck and not worry about the safety of your messages or about end-to-end encryption.

But nowadays, data exchange via the Internet includes online banking and shopping, sending scans of personal documents, airline tickets, etc. That's why, even if you do not own valuable corporate information, it won't be superfluous to understand the principles of end-to-end encryption in messaging apps. Support for such functionality in enterprise apps can be critical if you want to avoid man-in-the-middle attacks and keep valuable data away from eavesdroppers.

Here we are going to describe the following:

What is End-to-end Encryption?

Most information security experts admit that end-to-end encryption is one of the most reliable methods of securing data exchange. Under this approach, messages transmitted between end-to-end encryption applications can be read only by the users of these apps and not by any third party. This is achieved by using unique keys for data encryption and decryption, which only the end users can generate and store.

An end-to-end encryption system is designed to ensure that even if a malefactor gets access to the transmitted data, he won't be able to decipher it. This distinctive feature of end-to-end encryption also applies to the servers that may store sent messages.

Since servers are not involved in key generation, all a server "sees" is the encrypted messages transmitted between the communicating users. So even in the case of a data leak from a server, nobody will be able to read the data.

Let’s take a closer look at how end-to-end encryption works to understand better how it can guarantee data safety.

How Does End-to-end Encryption Work?

According to the end-to-end encryption methodology, when a chat session starts, each user's app generates two cryptographic keys. Such keys can be generated with the PGP (Pretty Good Privacy) application. Since PGP's initial release in 1991, there has been no evidence of it being broken.

The first key is the public key.

End-to-end encryption apps exchange these keys between each other.

The second one is the secret key.

The secret key never leaves the device. With the public key, a user can only encrypt a message; to decrypt it, according to the end-to-end encryption methodology, the corresponding secret key must be used.

It doesn't matter if a third party gets access to the public key, since it can be used only for encryption. That's why public keys can be transmitted over an open communication channel.

After every end-to-end encryption app has generated its pair of keys and the apps have exchanged public keys, secure communication can begin. Data such as messages, video and audio files goes through the end-to-end encryption process on the sender's side before being sent to a server. The data is stored on the server until the recipient's app can receive it. After the recipient has notified the server of the receipt, the data can be deleted from the server or kept there for some time.

Here's a good analogy that helps understand how end-to-end encryption apps work. Imagine two people talking in a foreign language. A third person who lacks the required language skills (does not have the encryption key) can't extract any valuable information from what they overhear.

This fairly simple concept makes it possible to be sure that messages are transferred securely between two or more endpoints. Encryption and decryption is not a hard task for modern devices; even mobile apps can handle end-to-end encryption without trouble. Probably the only situation that can be a source of worries is chatting with multiple users.

In this case, if you want to send a message, you have to encrypt it for each recipient. The higher the number of interlocutors, the more work your end-to-end encryption application has to do. To avoid lags in the app, developers need to make extra efforts to ensure that end-to-end encryption doesn't harm the user experience.

Now, let’s take a look at some examples of the apps that provide users with end-to-end encryption functionality.

Video Messaging Apps


1. WhatsApp Messenger

One of the most popular messengers in the world, WhatsApp was initially released in 2009. The first version of the app had no end-to-end encryption. For data transmission, WhatsApp uses XMPP, an open and free protocol based on XML that allows exchanging text messages, audio/video data and files.

In 2012 the app's developers began work on end-to-end encryption features. At first, only text messages were encrypted, but since 2014 it has allowed exchanging encrypted text and audio/video messages.


2. Viber

This text and video messaging app holds the title of the most popular messenger in Russia. It was released in 2010, but support for end-to-end encryption was added only in 2016. Starting from version 6.0, texts and voice messages between individuals and in groups are protected by end-to-end encryption.

Note that this feature works only if all participants are using the latest Viber version. According to the developer's overview of the app, it uses the same security concepts as the Signal messenger.

Encrypted Text Message Apps


1. Facebook Messenger App

Since October 4, 2016, the Facebook Messenger app has supported end-to-end encryption. This optional feature is available in Secret Conversations mode and includes a timer showing how long the encrypted messages remain before they disappear. Because the option is off by default, it is up to the user to enable it so that data transmission is protected.


2. iMessage

This messenger app for iOS was developed in 2011. In the first stage of its end-to-end encryption, the message is encrypted with a combination of a 1280-bit RSA public key and the 128-bit AES algorithm. Then the messenger creates a signature based on ECDSA (Elliptic Curve Digital Signature Algorithm). After that, users exchange the keys needed for end-to-end encryption.


3. Signal Private Messenger

Signal is an example of a highly secure text messaging app with strong end-to-end encryption. Messages are encrypted with the Signal Protocol, which combines prekeys, the Double Ratchet algorithm and a triple Diffie-Hellman (3-DH) handshake.

Voice calls are encrypted with SRTP and the ZRTP key-agreement protocol. Its reliability can be judged from the fact that many other messengers, such as WhatsApp, Facebook Messenger and Google Allo, use it as the basis of their end-to-end encryption.

The Signal Protocol also allows end-to-end encrypted group chats. Researchers from Ruhr University Bochum, the UK's University of Oxford and many others have analysed the protocol and deemed it safe and secure.


4. Voxer Walkie Talkie App

Not long ago, Voxer Walkie Talkie, a chat app with voice message support, joined the list of end-to-end encryption software. Its developers launched the first version of the iOS and Android app back in 2011.

Voxer's main distinctive feature is its live-messaging mode, which lets users run audio broadcasts or exchange short voice messages. You can listen to these messages as they arrive, or they can be saved so you can return to them later.

Now Voxer's developers have added end-to-end encrypted private chats to the app. All data shared via a private chat, such as voice messages, text or files, is protected by end-to-end encryption based on the Signal Protocol. Currently, the end-to-end encryption feature is available only for one-on-one chats.

A protected group chat is still an expected feature. Content sent in a private chat is not shared with other devices; instead, it is erased as soon as you log out of your account.


5. Telegram Messenger

Telegram messenger appeared in 2013 and is available for both mobile and desktop platforms. Users can exchange messages and files of any type. Although end-to-end encryption is not enabled by default, you can use it by activating Secret Chat mode. Before messages are sent over the transport protocol (HTTP, TCP, UDP), the MTProto protocol encrypts them.

The Telegram developers created this end-to-end encryption protocol themselves, and it consists of three parts. The high-level component defines how API responses and answers are converted into binary form. The cryptographic layer defines the encryption method applied before a message is sent. The last one, the delivery component, defines how messages are delivered.

While preparing a message, Telegram adds a 64-bit key identifier to the message body. This identifier defines the authorization keys of the user and the server; together they form a 256-bit key and a 256-bit initialization vector, which are used to encrypt the message with the AES-256 algorithm. The encrypted message contains the following information: the session, the message ID, the message's serial number and the server salt.

Security Standards in WebRTC Apps

WebRTC is a technology for building web chat apps that is rapidly gaining popularity. Possibly the reason for such attention is that WebRTC apps can be used without installing any third-party add-ons. End-to-end encryption support has also played a role.

Since WebRTC support was added to modern browsers, they can compete with communication software such as Skype. Such apps provide all the required functionality, including message encryption: you can exchange messages and make video calls right from your web browser.


Developing WebRTC-based software with end-to-end encryption support doesn't require any frameworks. But despite this apparent simplicity, the browser security standards behind WebRTC apps leave little room for concern. Depending on the channel type, a WebRTC app uses either DTLS (Datagram Transport Layer Security) or SRTP (Secure Real-time Transport Protocol).

The first is used for data streams; the second was designed for media streams. These security protocols ensure that the data transfer is protected with encryption keys. TLS/SSL support allows a secure HTTPS connection to be used. End-to-end encryption between the peers guarantees that no third party can get access to your data, which is particularly important in the case of enterprise apps.
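In WebRTC the DTLS handshake between two peers is verified against the certificate fingerprint each side announces in its SDP, so a peer can only detect a substituted certificate if it compares that fingerprint with one learned outside the signalling path. The article does not go into SDP; this is an added example, not code from the original article, with a constructed SDP fragment (the `SAMPLE_SDP` lines and fingerprint values are invented for the demo), showing how such a check can be written in plain JavaScript:

```javascript
// Constructed SDP fragment (not captured from any real app): one DTLS-SRTP audio section
// and one data-channel section. A session-level fingerprint applies to every m= section
// that does not announce its own; the audio section here overrides it.
const SAMPLE_SDP = [
  'v=0',
  'o=- 1 1 IN IP4 127.0.0.1',
  's=-',
  'a=fingerprint:sha-256 ' + 'AA:'.repeat(31) + 'AA',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'a=setup:actpass',
  'a=fingerprint:sha-256 ' + 'BB:'.repeat(31) + 'BB',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
  'a=setup:actpass',
].join('\r\n');

// Fingerprint in force for each m= section as { media, algorithm, value }, with the value
// normalised to lowercase hex without separators so that it compares reliably.
function dtlsFingerprints(sdp) {
  const sections = [];
  let session = null; // fingerprint announced before the first m= line
  let current = null; // section currently being parsed
  for (const line of sdp.split(/\r?\n/)) {
    if (line.startsWith('m=')) {
      current = { media: line.slice(2).split(' ')[0], ...(session || {}) };
      sections.push(current);
      continue;
    }
    const m = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f:]+)\s*$/.exec(line);
    if (!m) continue;
    const fp = { algorithm: m[1].toLowerCase(), value: m[2].replace(/:/g, '').toLowerCase() };
    if (current) Object.assign(current, fp); else session = fp;
  }
  return sections;
}

// True only when the named section carries a SHA-256 fingerprint equal to the one obtained
// out of band. A mismatch means the certificate the DTLS handshake would accept is not the
// expected peer's, whatever the signalling server relayed.
function fingerprintMatches(sdp, media, expectedHex) {
  const entry = dtlsFingerprints(sdp).find((s) => s.media === media);
  if (!entry || !entry.value || entry.algorithm !== 'sha-256') return false;
  const expected = expectedHex.replace(/[:\s]/g, '').toLowerCase();
  return expected.length === 64 && entry.value === expected;
}
```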

Conclusions

If you follow trends in chat app development, it is no secret that security issues are a source of concern for both users and developers. Users are becoming more selective and are paying increasing attention to the safety level of the messaging apps they use.

Developers, following these user expectations, try to implement the most reliable and cutting-edge end-to-end encryption technologies for secure data transmission. An end-to-end encryption app makes it possible to reach the desired level of data security. The best part about E2EE is that even if a third party finds a way to intercept your messages, without the secret key stored on your device there is no chance of decrypting them.

Since using communication apps in business brings additional risks of a data leak, opting for end-to-end encryption software may be crucial. To be sure that a chat app's functionality meets your needs and provides the necessary security level, it is better to prefer custom WebRTC app development over existing solutions.

From https://xbsoftware.com/blog/video-messaging-apps-with-end-to-end-encryption-and-all-about-encrypted-text-messages/

-----

How Does End-to-End Encryption Work in Video and Text Chat Apps?

This article focuses on end-to-end encryption (E2EE), a viable way of ensuring the security of data transmission. We will look at some basic principles of this technology and then introduce, with examples, apps that can provide you with end-to-end encryption.

When it comes to information security on the Internet, an ordinary user may think that issues such as end-to-end encryption have nothing to do with them. Indeed, when chatting with friends and family without personal information involved, you may not need to worry about message safety or end-to-end encryption.

But today, data exchange on the Internet goes beyond everyday chat: it includes online banking, online shopping, sending scans of personal documents, electronic boarding passes and so on. That is why, even if you hold no valuable corporate information, it is not a waste of time to learn a little about how encryption works in communication apps. If you want to avoid man-in-the-middle attacks, or do not want eavesdroppers stealing your private data, the security technology in these enterprise apps becomes very important.

What Is End-to-End Encryption?

Most information security experts acknowledge that end-to-end encryption is one of the most effective ways to secure data. With this approach, messages transmitted between end-to-end encrypted apps can be seen only by the users of those two apps and by no third party. This is achieved by using unique keys for data encryption and decryption. Only the end users can generate and store those keys.

An end-to-end encryption system is designed to ensure that even if an attacker manages to obtain the transmitted data, they cannot decrypt it. This special property of end-to-end encryption also applies to the servers that may store and forward messages.

Because the server cannot take part in key generation, all the server can "see" is encrypted messages passing between users. So even if data leaks from the server, nobody can read it.

Let's look more closely at how end-to-end encryption works, to better understand how it keeps data safe.

How Does End-to-End Encryption Work?

According to the idea of end-to-end encryption, when a chat session begins, each user's app generates two cryptographic keys. These keys can be generated with the PGP (Pretty Good Privacy) application. Since PGP was released in 1991, no evidence of it being broken has been found.

The first key is the public key.

End-to-end encrypted apps exchange this key with each other.

The second key is the secret key.

The secret key does not leave the device. With the public key, a user can only encrypt a message. To decrypt such a message, under the end-to-end encryption method, you should use the corresponding secret key.

Because the public key is used only for encryption, it does not matter even if a third party illegitimately obtains it. That is why you can transmit public keys over an open communication channel.

After each end-to-end encrypted app has generated its key pair and the apps have exchanged public keys, secure communication can begin. Data such as messages, video and audio files goes through the end-to-end encryption process on the sender's side before being sent to the server. The data is stored on the server until the receiving app retrieves it. After the recipient notifies the server that the data has been received, the data may be deleted from the server or kept there for some time.

Here is a good analogy that can help you understand how end-to-end encrypted apps work. Imagine two people chatting in a foreign language; a third person who does not understand that language (that is, does not have the encryption key) cannot get any useful information from what they overhear.

This fairly simple concept allows messages to be transmitted securely between two or more endpoints. Encryption and decryption is not a heavy task for modern devices. Even apps on mobile devices can handle end-to-end encryption without effort. The only scenario that may cause problems is multi-party chat.

In that case, if you want to send a message, you must encrypt it for each recipient. The more recipients, the more work your end-to-end encrypted app has to do. To avoid possible delays caused by the app's work, developers need to put in extra effort to ensure that end-to-end encryption does not hurt the user experience.

In the next article, we will analyse, with examples, some chat apps that can provide users with end-to-end encryption.

From https://webrtc.org.cn/e2ee/
